
NE40E V800R010C10SPC500 Feature Description - Security 01

CMPv2

Certificate Management Protocol version 2 (CMPv2) implements the following functions:
  • Manages components in a public key infrastructure (PKI).
  • Implements online interaction between components in a PKI.
  • Defines CMP packets related to certificate generation and management, such as certificate application, certificate revocation, key update, key recovery, and cross-authentication packets.
NOTE:

In a PKI, the device functions as an end entity. This section describes the end entity operations defined by CMPv2.

CMPv2 manages digital certificates for end entities through the following operations: initial request (IR), certificate request (CR), key update request (KUR), and polling.

IR

IR is performed when an end entity applies for the first certificate from a certificate authority (CA).

The end entity can apply for a certificate manually in outband mode or online by using CMP. The former method takes a long time, and the certificate is difficult to update. Therefore, the device applies for a certificate online by using CMP.

Figure 17-4 shows how an end entity applies for the first certificate online by using CMP.

Figure 17-4 IR process

An end entity applies for the first certificate from a CA as follows:

  • The end entity generates a key pair.
  • The end entity sends an IR packet to the CA to request the first certificate.
  • After receiving the IR packet, the CA authenticates the packet. If the authentication succeeds, the CA generates a certificate and sends a reply packet to the end entity.
  • After receiving the reply packet, the end entity authenticates the packet. If the authentication succeeds, the end entity sends a certificate confirmation packet to the CA.
  • After receiving the certificate confirmation packet, the CA authenticates the packet. If the authentication succeeds, the CA sends a PKI confirmation packet to the end entity.
  • After receiving the PKI confirmation packet, the end entity authenticates the packet. If the authentication succeeds, IR is completed.

During the preceding process, all packets transmitted between the end entity and the CA must be authenticated using either the end-entity-generated key pair or the supplier-provided certificate.

NOTE:

The device supports only authentication using the supplier-provided certificate.

The supplier-provided certificate refers to a digital certificate that uniquely identifies an end entity. This digital certificate is issued by the supplier's CA. After a customer buys the end entity, the customer does not use the supplier-provided certificate any longer. Instead, the customer applies for a new digital certificate from a trusted CA by sending an IR request defined by CMPv2.

KUR

For security reasons, a key pair needs to be changed periodically. Each certificate has a validity period. When a certificate expires, it is revoked, and you must apply for a new one. The KUR function updates both key pairs and certificates.

The key update request (KUR) interaction process is the same as the IR process described above.

Polling

After receiving a request packet (an IR, CR, or KUR packet) from an end entity, a CA sends a reply packet with the PKI status set to Waiting if it cannot respond to the request packet immediately. Then, the end entity sends polling requests to check whether a certificate is generated.
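The following is an added example (not Huawei code) that models the IR exchange described above together with the polling path: every message in both directions is protected and checked before it is acted on, the CA answers with a Waiting status when it cannot issue immediately, and the end entity polls until the certificate arrives, then confirms it. Standard-library HMAC over a constructed shared secret stands in for the certificate-based message protection the device actually uses, and the key pair and certificate contents are placeholders.

```python
import hmac, hashlib, json, secrets

SECRET = b"constructed-shared-secret"  # stand-in for the supplier-certificate protection key

def protect(body: dict, key: bytes) -> dict:
    """Attach a MAC so the peer can authenticate the message (CMP 'protection' field)."""
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "protection": hmac.new(key, raw, hashlib.sha256).hexdigest()}

def verify(msg: dict, key: bytes) -> dict:
    """Reject any message whose protection does not check out; return its body otherwise."""
    raw = json.dumps(msg["body"], sort_keys=True).encode()
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(msg["protection"], expected):
        raise ValueError("protection check failed on " + msg["body"]["type"])
    return msg["body"]

class ToyCA:
    """Minimal CA: answers IR with Waiting for `delay_polls` poll rounds, then issues."""
    def __init__(self, delay_polls: int):
        self.delay, self.issued, self.confirmed = delay_polls, None, False
    def handle(self, msg: dict) -> dict:
        body = verify(msg, SECRET)               # CA authenticates every incoming packet
        if body["type"] == "ir":
            self.issued = {"subject": body["subject"], "pub": body["pub"], "serial": 1}
            return self._issue_or_wait()
        if body["type"] == "pollReq":
            self.delay -= 1
            return self._issue_or_wait()
        if body["type"] == "certConf":           # certificate confirmation -> PKI confirmation
            self.confirmed = body["serial"] == self.issued["serial"]
            return protect({"type": "pkiConf"}, SECRET)
        raise ValueError("unexpected message " + body["type"])
    def _issue_or_wait(self) -> dict:
        if self.delay > 0:
            return protect({"type": "ip", "status": "waiting"}, SECRET)
        return protect({"type": "ip", "status": "accepted", "cert": self.issued}, SECRET)

def initial_request(ca: ToyCA, subject: str, max_polls: int = 5):
    """End-entity side of IR: key pair -> IR -> (poll) -> certConf -> pkiConf. Returns (cert, polls)."""
    pub = secrets.token_hex(8)                   # placeholder for the generated key pair's public key
    reply = verify(ca.handle(protect({"type": "ir", "subject": subject, "pub": pub}, SECRET)), SECRET)
    polls = 0
    while reply["status"] == "waiting":          # CA could not respond immediately: poll
        polls += 1
        if polls > max_polls:
            raise TimeoutError("CA still waiting after %d polls" % max_polls)
        reply = verify(ca.handle(protect({"type": "pollReq"}, SECRET)), SECRET)
    cert = reply["cert"]
    conf = verify(ca.handle(protect({"type": "certConf", "serial": cert["serial"]}, SECRET)), SECRET)
    if conf["type"] != "pkiConf":
        raise ValueError("IR not completed: expected pkiConf")
    return cert, polls
```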

Updated: 2019-01-03

Document ID: EDOC1100055047
